@Andy_Wismer Thank you for your help!
Following that guide didn’t solve the problem. But it gave some new inspiration…
Spoiler: what I tried didn’t solve the problem either. But I did learn some new things, so that’s a win… I’m starting to think I’d better hold off on solving this until I have a VPS running with a public IP/FQDN and a Let’s Encrypt certificate.
But if anyone has got any other viable ideas…
I decided to try with a custom key, so I did the following.
create custom private key
# cd /var/lib/machines/nsdc/var/lib/samba/private/tls
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem
Generating a 2048 bit RSA private key
...................+++
......................................+++
writing new private key to 'myKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:NL
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:NSDC-MYHOST.ad.nethserver.home
Email Address []:
# chmod 600 myKey.pem
Edit /var/lib/machines/nsdc/etc/samba/smb.conf
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =
Create /etc/e-smith/events/certificate-update/nsdc-cert
#!/bin/bash
# Runs on the certificate-update event: copy the host's key and certificate
# into the nsdc container's Samba TLS directory.
set -e
cp -f /etc/pki/tls/private/myKey.key /var/lib/machines/nsdc/var/lib/samba/private/tls/myKey.pem
cp -f /etc/pki/tls/certs/myCert.crt /var/lib/machines/nsdc/var/lib/samba/private/tls/myCert.pem
# Private key readable by root only; the certificate may be world-readable.
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/myKey.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/myCert.pem
Reboot the server
test ssl in Prosody container
Copy the Certificate to the prosody container
docker cp myCert.pem docker-jitsi-meet_prosody_1:/usr/share/ca-certificates/myCert.crt
In the prosody container: add the certificate to the trusted CAs
dpkg-reconfigure ca-certificates
Test the ssl connection
openssl s_client -showcerts -connect 192.168.10.10:636
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = NL, L = Default City, O = Default Company Ltd, CN = NSDC-MYHOST.ad.nethserver.home
verify return:1
---
Certificate chain
0 s:C = NL, L = Default City, O = Default Company Ltd, CN = NSDC-MYHOST.ad.nethserver.home
i:C = NL, L = Default City, O = Default Company Ltd, CN = NSDC-MYHOST.ad.nethserver.home
---
Server certificate
subject=C = NL, L = Default City, O = Default Company Ltd, CN = NSDC-MYHOST.ad.nethserver.home
issuer=C = NL, L = Default City, O = Default Company Ltd, CN = NSDC-MYHOST.ad.nethserver.home
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA224:DSA+SHA224:ECDSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1489 bytes and written 421 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 74A58560D0D857094E3A554106A41BD21CCCDD1650EBC3C2EACE443FF46D41F4
Session-ID-ctx:
Master-Key: 73E21C2AAD477FDC4CA5C68803F60089290B349986BE202DC9DFC7F313DD2B4A6AD15ED854193190E959E4E8BDBCEFDA
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1616434177
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
closed
Success!
testing saslauthd
In the prosody container I first used the ldapsearch commands as in this guide. These ldapsearch commands all succeed.
testsaslauthd still fails:
testsaslauthd -u NSuser -p PassWord -r nethserver.home -s xmpp
0: NO "authentication failed"
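One thing worth separating when reading the s_client output above: "Verification: OK" only says the chain is trusted (the self-signed cert was added to the container's trust store). The connection went to 192.168.10.10, while the certificate carries no SAN and names only NSDC-MYHOST.ad.nethserver.home, and s_client does not check the name at all unless given -verify_hostname or -verify_ip; a stricter client that does check names would see a mismatch. The following Python check is an added example, not code from the original post or from Samba/saslauthd; `names_match`, `check_ldaps` and the simplified wildcard rule are my own, and the CA file path is an assumption.

```python
"""Separate chain trust from name matching for an LDAPS endpoint.
Added example; names_match/check_ldaps are not part of the original post."""
import ipaddress
import socket
import ssl


def _label_match(pattern: str, name: str) -> bool:
    """Match a DNS name against one certificate name, case-insensitively,
    allowing a single left-most wildcard label (*.ad.example.home)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        parts = name.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def names_match(target: str, common_name: str, sans: list) -> bool:
    """sans: (type, value) pairs as in ssl.SSLSocket.getpeercert()['subjectAltName'].
    An IP target matches only an 'IP Address' SAN. A DNS target matches a 'DNS'
    SAN, or the CN only when the cert has no SAN at all (legacy fallback)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)
    dns_sans = [v for t, v in sans if t == "DNS"]
    if dns_sans:
        return any(_label_match(p, target) for p in dns_sans)
    return _label_match(common_name, target)


def check_ldaps(target: str, port: int, cafile: str) -> dict:
    """Connect with full verification (chain AND name), as a strict LDAP
    client would, and return the peer certificate's names on success.
    cafile is assumed, e.g. '/usr/share/ca-certificates/myCert.crt'."""
    ctx = ssl.create_default_context(cafile=cafile)  # check_hostname=True
    with socket.create_connection((target, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=target) as tls:
            cert = tls.getpeercert()
    cn = dict(rdn[0] for rdn in cert["subject"]).get("commonName", "")
    return {"cn": cn, "sans": list(cert.get("subjectAltName", ())),
            "self_signed": cert["subject"] == cert["issuer"]}
```

With the post's certificate, `names_match("192.168.10.10", "NSDC-MYHOST.ad.nethserver.home", [])` is False while the FQDN matches, so connecting by IP is one thing to rule out before looking elsewhere for the saslauthd failure.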